LightDM unable to start VNC Server when SELinux is in enforcing mode

Hey there!

I want to use LightDM's integrated VNC function, so I configured it in /etc/lightdm/lightdm.conf:

[VNCServer]
enabled=true
command=Xvnc -rfbauth /etc/vncpasswd
port=5900
listen-address=127.0.0.1
width=1920
height=1080
depth=24

I installed tigervnc-server, created the password file and restarted the system.
After the reboot sudo systemctl status lightdm shows the following errors:

Nov 05 22:40:32 myserver lightdm[6227]: Failed to create IPv4 VNC socket: Error binding to address 127.0.0.1:5900: Permission denied
Nov 05 22:40:32 myserver lightdm[6227]: Failed to create IPv6 VNC socket: Error binding to address 127.0.0.1:5900: Permission denied

I have no experience with SELinux so I did some searching and found some debug commands:

sudo ausearch -c 'vncsession' --raw
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent

Both don’t give any results.

However, if I set SELinux to permissive, the vnc server starts just fine and I can connect to it.

tigervnc-selinux is installed.

So my question is: Did I hit a bug or is this expected behaviour and I’m just incompetent?

Any help or hints are appreciated. Thanks!

selinux added

Ok, I found a solution. All necessary commands are in the docs ;)
Troubleshooting Problems Related to SELinux :: Fedora Docs

I had to temporarily disable dontaudit rules:

sudo semodule -DB

Then I restarted LightDM and took a look into the logs of setroubleshoot:

sudo journalctl -t setroubleshoot

I could find some messages regarding LightDM including a proposed solution:

sudo setsebool -P xdm_bind_vnc_tcp_port 1

Another restart of LightDM showed that it could bind port 5900 just fine and now I am able to remote into my system.

Finally, don’t forget to enable the dontaudit rules:

sudo semodule -B
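Once `semodule -DB` has made the hidden denial visible, the raw audit record shows exactly which access was refused, which is worth confirming before a boolean is switched on permanently. The following is an added example, not part of the original posts: it filters audit records for `name_bind` denials and prints process, port, source type and target type. The sample record is constructed, and its `xdm_t` and `vnc_port_t` types are assumptions about what this denial looks like.

```shell
#!/bin/sh
# Added example: summarise SELinux port-bind denials from audit records on stdin.
# Output, one line per denial: <comm> <port> <source_type> <target_type>

# Constructed sample input. The pid, process name and port come from the thread;
# the timestamp, serial and SELinux types (xdm_t, vnc_port_t) are assumptions.
SAMPLE_AVC='type=AVC msg=audit(1699220432.101:412): avc:  denied  { name_bind } for  pid=6227 comm="lightdm" src=5900 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1699220433.007:413): avc:  denied  { read } for  pid=6301 comm="example" name="file" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

summarize_bind_denials() {
    awk '
    /avc: +denied/ && /name_bind/ {
        comm = port = stype = ttype = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) {
                # Strip the key and the surrounding quotes.
                # A comm value containing spaces would be cut at the first space.
                comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm)
            }
            if ($i ~ /^src=/) { port = substr($i, 5) }
            # Contexts are user:role:type:level; the third field is the type.
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
        }
        print comm, port, stype, ttype
    }'
}

# Run against the constructed sample; only the name_bind record is reported.
printf '%s\n' "$SAMPLE_AVC" | summarize_bind_denials
```

On a live system the same function can read the output of the `ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent` command from the first post. If the reported port and types match what the boolean is meant to allow, the `setsebool` change is scoped to the access that was actually denied.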